BIND and TCP

Peter Dambier peter at peter-dambier.de
Sat Sep 24 12:09:28 UTC 2005


Kevin Darcy wrote:
> Michael Bernhardt wrote:
> 
> 
>>I'm running BIND 9.2.3. Our outside servers are set to only allow zone
>>transfers to our ISP's slave. Our firewall is set to only allow UDP packets
>>to them, except to/from that slave. But we can see that the server does
>>attempt TCP traffic to other DNS servers anyway. No one seems to complain
>>about poor performance but maybe the lack of TCP shows up in other ways?
>>
>>I understand that BIND will use TCP for queries when the packet size of 512
>>is insufficient (if that's not correct, please educate me). I also am to
>>understand the RFC supposedly requires that DNS use TCP in these
>>circumstances. But we do not want to be bothered with everyone and their
>>bored brothers being able to do any more than absolutely necessary.
>>

It happens from time to time that DNS via UDP does not work. Bind automatically
switches to UDP then.

If TCP does not work then somebody's mailer will bounce emails for you saying
something like "DNS: recipient does not exist". Of course you will never see
these emails because they are bounced back to the sender. They will never complain
to you because they cannot send you any emails. Maybe you lose some customers.
Who cares?

>>Is there a way to tell BIND to never use TCP? Does anyone have
>>recommendations on how to best balance security and proper application, with
>>the edge going toward security? Can't find anything on this in the O'Reilly
>>BIND book but maybe I missed it.
>>

Keep it behind your firewall and don't accept any queries from outside.
Obviously you only need it for your local LAN.

> 
> Frankly, I think that's a rather irresponsible attitude. "No one seems 
> to complain" about the fact that you're blocking responses to their 
> queries for no good reason?!?!?! Maybe you've just been lucky so far, 
> but it's going to be your ass on the line if some important VIP's app 
> fails some day because of your poor DNS infrastructure design decision.
> 

Indeed more and more people running their own DNS try to AXFR zones they
need regularly. Having a copy of a zone, you can see when somebody tries
to trick your machine into asking for a poisoned page.

DNSSEC would help too, but with most of the root-servers being multicasted
there will never be DNSSEC.

> EDNS0 will lessen the need for TCP retry, but there will always be 
> situations where it is necessary. And you do a disservice to your users, 
> IMO, by being more concerned about "bored brothers" and what they may be 
> up to, than you are about their ability to resolve perfectly legitimate 
> DNS queries.
> 
> - Kevin

Seeing that not many servers are able to reply using EDNS0, mostly nobody uses EDNS0.
Maybe they have the wrong version of BIND, or no BIND at all, or even Windows :)

Maybe people like Michael configuring firewalls are the reason why EDNS0 does not
work.

I hope for EDNS9 someday to enable AXFR via UDP :)


Kind regards,
Peter and Karin


-- 
Peter and Karin Dambier
Public-Root
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-179-108-3978 (O2 Genion)
+49-6252-750308 (VoIP: sipgate.de)
+1-360-448-1275 (VoIP: freeworldialup.com)
mail: peter at peter-dambier.de
http://iason.site.voila.fr
http://www.kokoom.com/iason
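As an added illustration of the two mechanics this thread argues about (the TC bit that sends a resolver from UDP to TCP, and the EDNS0 OPT record that raises the 512-byte limit so that retry is needed less often), here is a small Python script that is not part of the original post. It works only on constructed wire-format messages built inline; nothing is sent on the network, and `example.com` and the message ID are sample values.

```python
import struct

# DNS header flags (RFC 1035 4.1.1): QR = response, TC = truncated reply.
QR, TC = 0x8000, 0x0200
CLASSIC_UDP_MAX, OPT_TYPE = 512, 41   # pre-EDNS0 UDP limit; EDNS0 OPT RR type

def build_header(msg_id, flags, qd=1, an=0, ns=0, ar=0):
    return struct.pack("!HHHHHH", msg_id, flags, qd, an, ns, ar)

def encode_name(name):
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"

def edns0_opt(udp_payload_size=4096):
    # OPT RR (RFC 2671): root name, TYPE=41, CLASS field = UDP payload size the
    # sender can receive, TTL field = extended RCODE/version/flags, RDLENGTH=0.
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)

def skip_name(msg, off):
    # Advance past a wire-format name (labels or a compression pointer).
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def advertised_udp_size(query):
    # UDP payload size the client advertises via EDNS0, or 512 without OPT.
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass
    return CLASSIC_UDP_MAX

def needs_tcp_retry(response):
    # A reply with QR and TC set must be re-asked over TCP; a firewall that
    # drops TCP/53 turns that retry into a resolution failure.
    _, flags, *_ = struct.unpack("!HHHHHH", response[:12])
    return bool(flags & QR) and bool(flags & TC)

# Constructed sample message (not captured traffic): A/IN query for example.com
# carrying an OPT RR that advertises a 4096-byte UDP payload.
QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
QUERY_EDNS = build_header(0x1234, 0x0100, ar=1) + QUESTION + edns0_opt(4096)
```

A server answering `QUERY_EDNS` can send up to 4096 bytes over UDP before it has to set TC, while the same question without the OPT record falls back to TCP for anything above 512 bytes.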



More information about the bind-users mailing list